diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-05-19 10:52:27 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-05-25 09:20:37 -0400 |
| commit | be2d37ad3cbb5a36fee410f2e36e53b1ee019f48 (patch) | |
| tree | 1172f66b9cb9a9d8b2e36cb8731915407eaf5c86 /changes | |
| parent | 4165b1a0da893a9f67a2ba32b4fcd54a7804ce14 (diff) | |
| download | tor-be2d37ad3cbb5a36fee410f2e36e53b1ee019f48.tar.gz tor-be2d37ad3cbb5a36fee410f2e36e53b1ee019f48.zip | |
Fix a pointer arithmetic bug in memarea_alloc()
Fortunately, the arithmetic cannot actually overflow, so long as we
*always* check for the size of potentially hostile input before
copying it. I think we do, though. We do check each line against
MAX_LINE_LENGTH, and each object name or object against
MAX_UNPARSED_OBJECT_SIZE, both of which are 128k. So to get this
overflow, we need to have our memarea allocated way way too high up
in RAM, which most allocators won't actually do.
Bugfix on 0.2.1.1-alpha, where memarea was introduced.
Found by Guido Vranken.
Diffstat (limited to 'changes')
| -rw-r--r-- | changes/memarea_overflow | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/changes/memarea_overflow b/changes/memarea_overflow new file mode 100644 index 0000000000..8fdc38cc09 --- /dev/null +++ b/changes/memarea_overflow @@ -0,0 +1,7 @@ + o Minor bugfixes (pointer arithmetic): + - Fix a bug in memarea_alloc() that could have resulted in remote heap + write access, if Tor had ever passed an unchecked size to + memarea_alloc(). Fortunately, all the sizes we pass to memarea_alloc() + are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix + on 0.2.1.1-alpha. Bug found by Guido Vranken. + |